The SpiceAuction::claim and DaiGoldAuction::claim functions allow users to claim rewards for a specific epoch. However, users who deposited a small amount, such as 1 unit, always receive 0 as a reward when certain conditions are met.
The vulnerability arises from the following code snippet in the claim function:
If info.totalAuctionTokenAmount is less than info.totalBidTokenAmount, the mulDivRound operation produces a claimAmount that rounds down to 0 for users who deposited a small amount. This occurs because, when bidTokenAmount is very small relative to the other values, the result of the multiplication and division is less than one unit and is lost to rounding.
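The rounding described above can be reproduced with a small integer model. This is an added example, not code from the audited contracts: it assumes the claim is a pro-rata share rounded down, and the function names and the sample bids are constructed for illustration.

```python
# Added illustration: integer model of a pro-rata claim with floor rounding.
# Assumption: the claim is bid * total_auction / total_bid, rounded down.

def mul_div_floor(x: int, y: int, denominator: int) -> int:
    """Return x * y / denominator rounded down, as integer arithmetic does."""
    if denominator <= 0:
        raise ValueError("denominator must be positive")
    return (x * y) // denominator

def claim_amount(bid: int, total_auction: int, total_bid: int) -> int:
    """Reward for one bidder under the assumed pro-rata formula."""
    return mul_div_floor(bid, total_auction, total_bid)

def min_nonzero_bid(total_auction: int, total_bid: int) -> int:
    """Smallest bid that claims at least 1 unit: ceil(total_bid / total_auction)."""
    if total_auction <= 0:
        raise ValueError("total_auction must be positive")
    return -(-total_bid // total_auction)

def settle(bids: dict, total_auction: int):
    """Return (claims per bidder, auction tokens left undistributed by rounding)."""
    total_bid = sum(bids.values())
    claims = {user: claim_amount(amount, total_auction, total_bid)
              for user, amount in bids.items()}
    dust = total_auction - sum(claims.values())
    return claims, dust

# Constructed sample epoch: total_auction (400) is less than total_bid (1000).
SAMPLE_BIDS = {"alice": 1, "bob": 3, "carol": 996}
SAMPLE_TOTAL_AUCTION = 400

if __name__ == "__main__":
    claims, dust = settle(SAMPLE_BIDS, SAMPLE_TOTAL_AUCTION)
    threshold = min_nonzero_bid(SAMPLE_TOTAL_AUCTION, sum(SAMPLE_BIDS.values()))
    for user, amount in SAMPLE_BIDS.items():
        print(f"{user}: bid={amount} claim={claims[user]}")
    print(f"smallest bid with a non-zero claim: {threshold}")
    print(f"auction tokens lost to rounding: {dust}")
```

A test suite for the real contracts can use the same threshold, ceil(totalBidTokenAmount / totalAuctionTokenAmount), to pick bid amounts on both sides of the zero-reward boundary.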
Users who deposit a small amount, such as 1 unit, will always receive a reward of 0 if info.totalAuctionTokenAmount is less than info.totalBidTokenAmount. This can lead to dissatisfaction among users and a lack of trust in the fairness of the reward distribution system.
Manual Review
Implement a minimum claim amount to ensure users receive a non-zero reward when they are eligible.
Consider using a more precise arithmetic operation or handling small bid amounts separately to avoid rounding issues.
Add comprehensive tests to cover edge cases where info.totalAuctionTokenAmount is less than info.totalBidTokenAmount to ensure fair reward distribution.